NSW agencies fear cyberattacks after report finds ‘significant weaknesses’

The nine state government agencies audited asked the auditor general to not report the findings to Parliament, fearing it would expose weaknesses to cyberattackers.

Significant weaknesses and noncompliance were found in an audit of nine New South Wales state government agencies, according to the latest Audit Office of New South Wales report on cybersecurity compliance. The audit was done against the NSW Cyber Security policy (CSP).

The agencies audited were Department of Premier and Cabinet; Department of Communities and Justice; Department of Customer Service; Department of Education; Department of Planning, Industry, and Environment; Department of Regional NSW; Ministry of Health; Treasury; and Transport for NSW, specifically the former functions of Roads and Maritime Services.

Audit findings show poor cybersecurity efforts by NSW agencies

The audit assessed the nine agencies’ compliance with the NSW CSP as of 30 June 2020. The NSW CSP replaced the NSW Digital Information Security Policy on 1 February 2019.

The audit found deficiencies in reporting, self-assessment, maturity levels, and actions taken. Some of the findings suggest agencies provided their assessments without careful consideration of what they were expected to do. For example, attestations did not accurately reflect whether agencies had implemented the requirements. Of the nine participating agencies, seven did not modify the pro forma wording in their attestation, and only two changed the wording to reflect their actual situation.
